
misc: Add ingress policy name in log #1292


Merged
merged 1 commit into from
Apr 29, 2025
Merged
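--- a/cilium/filter_state_cilium_policy.cc
+++ b/cilium/filter_state_cilium_policy.cc
@@ -60,8 +60,9 @@ bool CiliumPolicyFilterState::enforceNetworkPolicy(const Network::Connection& co
 auto ingressPortPolicy = policy.findPortPolicy(true, port_);
 if (!ingressPortPolicy.allowed(ingress_source_identity_, sni)) {
 ENVOY_CONN_LOG(debug,
-"Ingress network policy DROP for source identity: {} port: {} sni: \"{}\"",
-conn, ingress_source_identity_, destination_port, sni);
+"Ingress network policy {} DROP for source identity and destination "
+"reserved ingress identity: {} port: {} sni: \"{}\"",
+conn, ingress_policy_name_, ingress_source_identity_, destination_port, sni);
 return false;
 }
 }
@@ -70,8 +71,9 @@ bool CiliumPolicyFilterState::enforceNetworkPolicy(const Network::Connection& co
 auto egressPortPolicy = policy.findPortPolicy(false, destination_port);
 if (!egressPortPolicy.allowed(destination_identity, sni)) {
 ENVOY_CONN_LOG(debug,
-"Egress network policy DROP for destination identity: {} port: {} sni: \"{}\"",
-conn, destination_identity, destination_port, sni);
+"Egress network policy {} DROP for reserved ingress identity and destination "
+"identity: {} port: {} sni: \"{}\"",
+conn, ingress_policy_name_, destination_identity, destination_port, sni);
 return false;
 }
 }
@@ -118,16 +120,16 @@ bool CiliumPolicyFilterState::enforceHTTPPolicy(const Network::Connection& conn,
 // Enforce ingress policy for Ingress, on the original destination port
 if (ingress_source_identity_ != 0) {
 if (!policy.allowed(true, ingress_source_identity_, port_, headers, log_entry)) {
-ENVOY_CONN_LOG(debug, "Ingress HTTP policy DROP for source identity: {} port: {}", conn,
-ingress_source_identity_, port_);
+ENVOY_CONN_LOG(debug, "Ingress HTTP policy {} DROP for source identity: {} port: {}", conn,
+ingress_policy_name_, ingress_source_identity_, port_);
 return false;
 }
 }
 
 // Enforce egress policy for Ingress
 if (!policy.allowed(false, destination_identity, destination_port, headers, log_entry)) {
-ENVOY_CONN_LOG(debug, "Egress HTTP policy DROP for destination identity: {} port: {}", conn,
-destination_identity, destination_port);
+ENVOY_CONN_LOG(debug, "Egress HTTP policy {} DROP for destination identity: {} port: {}",
+conn, ingress_policy_name_, destination_identity, destination_port);
 return false;
 }
 }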
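Review bot: In the ingress branch of enforceNetworkPolicy the drop message still prints `destination_port`, although the denial comes from `policy.findPortPolicy(true, port_)`; if those two values can differ on this path (not visible in the hunk), the log names a port the decision was not made on, whereas the ingress message in enforceHTTPPolicy logs `port_`. The new wording also attaches a single `{}` to "source identity and destination reserved ingress identity", and the egress message does the same with "reserved ingress identity and destination identity", so someone triaging a drop cannot tell which identity the number refers to. I would keep one label per value, e.g. `"Ingress network policy {} DROP for source identity: {} port: {} sni: \"{}\""` with `port_` as the port argument, and `"Egress network policy {} DROP for destination identity: {} port: {} sni: \"{}\""` for the egress case. Both function bodies start and end outside the hunks shown, so the relation between `port_` and `destination_port` should be confirmed against the full file.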